Privacy Policy
Last updated:
This Privacy Policy explains how Zavamed Weight Loss collects, uses, shares and protects your personal data when you use zavamedweightloss.co.uk, and describes your rights under UK GDPR and the Data Protection Act 2018.
1. Who we are (Controller)
Zavamed Weight Loss (“we”, “us”, “our”) is the data controller for personal data processed via zavamedweightloss.co.uk.
Registered/Trading address: [Insert business address, city, postcode, United Kingdom]
Email: privacy@zavafit.shop • Phone: +44 0000 000000
If appointed, our Data Protection Officer (DPO) can be reached at: dpo@zavafit.shop. ICO Registration No.: [Insert ICO number].
2. Data we collect
- Identity data: name, date of birth, gender.
- Contact data: email, phone, billing/shipping address.
- Account data: login, preferences, order history, support tickets.
- Health & medical intake data (if applicable): information you provide during consultations or forms relevant to weight-loss treatment (see Section 5).
- Transaction data: products purchased, payment amount, refund details (payment card data is handled by our payment providers).
- Technical data: IP address, device type, browser, OS, approximate location, cookies, and similar technologies.
- Usage data: pages viewed, session duration, click paths, referral sources.
- Marketing data: your preferences for receiving marketing by email/SMS.
3. How we collect data
- Directly from you when you create an account, place an order, complete medical/intake forms, participate in teleconsultations, or contact support.
- Automatically through cookies, analytics, and similar technologies when you browse our site.
- From third parties such as payment processors, identity verification partners, logistics providers, or healthcare professionals who support your treatment (where applicable).
4. Why we use data & lawful bases
We process personal data only when we have a lawful basis under UK GDPR:
| Purpose | Examples | Lawful basis |
|---|---|---|
| Provide our services & fulfil orders | Account setup, dispensing/dispatch, customer support | Contract (perform a contract or take steps at your request) |
| Clinical/telemedicine services (if applicable) | Consultations, medical assessments, treatment planning | Public interest in healthcare / Health care purposes (see Section 5) |
| Payments & fraud prevention | Process payments, detect/prevent fraud/abuse | Legal obligation; Legitimate interests |
| Communications | Service messages, order updates | Contract; Legitimate interests |
| Marketing | Newsletters, offers | Consent (or “soft opt-in” under PECR for similar products to existing customers) |
| Analytics & site improvement | Understand use, fix bugs, improve UX | Consent (for non-essential cookies); Legitimate interests (limited, privacy-preserving analytics) |
| Legal & compliance | Record-keeping, responding to regulators | Legal obligation |
5. Special category data (health)
Lawful basis (Article 6): Contract; Legal obligation; Legitimate interests (as applicable).
Additional condition (Article 9 UK GDPR): processing is necessary for health or social care purposes and the management of healthcare systems and services (Art. 9(2)(h)), and/or for reasons of substantial public interest where applicable. We apply appropriate safeguards and access controls. Do not send us health information unless requested or required for your care.
7. International transfers
Your data may be transferred outside the UK/EEA. Where this occurs, we rely on lawful transfer mechanisms such as an adequacy decision or the UK’s International Data Transfer Agreement (IDTA) / EU Standard Contractual Clauses, with additional safeguards as needed.
8. Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, staff training, secure development practices, and vendor due diligence. While no system is perfectly secure, we work to protect your data against unauthorised access, alteration, disclosure or destruction.
9. Retention
We keep personal data only as long as necessary for the purposes described above:
- Account & order records: typically 6 years for tax/audit.
- Clinical records (if applicable): retained according to healthcare regulations and professional guidance.
- Marketing data: until you withdraw consent or object.
- Cookies/analytics: per the lifetimes listed in our Cookie Policy.
10. Marketing & communications
We send marketing only with your consent (or under PECR soft opt-in for existing customers buying similar products). You can opt out anytime via unsubscribe links or by contacting us. Service and transactional emails are not marketing and you cannot opt out of those essential messages.
12. Your rights
Under UK GDPR you have the right to:
- Access your personal data (Subject Access Request).
- Rectify inaccurate or incomplete data.
- Erase data in certain circumstances (“right to be forgotten”).
- Restrict processing in certain circumstances.
- Data portability (receive your data in a usable format).
- Object to processing based on legitimate interests or to direct marketing.
- Withdraw consent at any time where we rely on consent.
To exercise a right, email privacy@zavafit.shop. We may need to verify your identity. We aim to respond within one month.
13. Contact & complaints
If you have questions or concerns about this notice or your data, contact us at privacy@zavafit.shop.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk.
14. Changes to this notice
We may update this Privacy Policy from time to time. Material changes will be highlighted on this page. Your continued use of the site after changes take effect signifies your acceptance.
